Virus:VBS/Invadesys.A is a VBScript virus that infects other script files, spreads to removable drives, terminates processes and may delete files with specific file extensions.
Installation
When the virus is executed, it drops files using the currently logged-on user's name as the file name, as in the following examples:
To help hide the dropped files, Virus:VBS/Invadesys.A sets the Hidden and System attributes on them.
The virus modifies the registry to run a dropped copy of the virus at each Windows start.
Adds value: Load
With data: "<system folder>\WScript.exe <system folder>\<user name>.vbs %1 %*"
To subkey: HKCU\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows
The virus modifies the registry to execute a dropped copy of the virus whenever a file of the registered type "txtfile", "hlpfile", "regfile" or "chm.file" (text, help, registry and compiled HTML help files) is opened, by rewriting each type's shell\open\command:
Modifies value: @
With data: "%SystemRoot%\System32\WScript.exe <system folder>\<user name>.vbs %1 %* "
In subkey: HKLM\Software\Classes\txtfile\shell\open\command
Modifies value: @
With data: "%SystemRoot%\System32\WScript.exe <system folder>\<user name>.vbs %1 %* "
In subkey: HKLM\Software\Classes\hlpfile\shell\open\command
Modifies value: @
With data: "%SystemRoot%\System32\WScript.exe <system folder>\<user name>.vbs %1 %* "
In subkey: HKLM\Software\Classes\regfile\shell\open\command
Modifies value: @
With data: "%SystemRoot%\System32\WScript.exe <system folder>\<user name>.vbs %1 %* "
In subkey: HKLM\Software\Classes\chm.file\shell\open\command
The virus makes further changes that disable the display of hidden files and keep operating system files hidden:
Modifies value: "CheckedValue"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall
Modifies value: "ShowSuperHidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
The virus then enables AutoPlay for removable, fixed, network, optical and RAM drives by setting the AutoRun drive-type policy as follows:
Modifies value: "NoDriveTypeAutoRun"
With data: "129"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
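The registry changes listed above can be checked from a PowerShell session. The following script is an added, read-only audit and is not part of the original write-up; the key paths and expected data come from the entries above, and the drive-type bit values for NoDriveTypeAutoRun are the documented Windows flags (a set bit disables AutoRun for that drive type, so 129 = 0x81 leaves removable, fixed, network, optical and RAM drives enabled).

```powershell
# Added example, not part of the original write-up: read-only audit of the registry
# locations listed in the Installation section for Virus:VBS/Invadesys.A.

function Get-RegValueOrNull {
    param([string]$KeyPath, [string]$ValueName)   # $ValueName '' reads the (default) value
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($ValueName)
}

function Get-InvadesysRegistryIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    # Shape of the data the write-up quotes: "WScript.exe <system folder>\<user name>.vbs %1 %*"
    $hijackPattern = '(?i)wscript\.exe.+\.vbs'

    # 1. Autostart via the legacy Load value under Windows NT\CurrentVersion\Windows.
    $loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = Get-RegValueOrNull $loadKey 'Load'
    $findings.Add([pscustomobject]@{
        Check      = 'Load autostart value'
        Location   = "$loadKey\Load"
        Data       = $load
        Suspicious = [bool]($load -and ($load -match $hijackPattern))
    })

    # 2. shell\open\command for the four hijacked file classes. On a clean system these
    #    point at the normal handlers (notepad, winhlp32, regedit, hh), not at WScript.
    foreach ($class in 'txtfile', 'hlpfile', 'regfile', 'chm.file') {
        $cmdKey = "HKLM:\Software\Classes\$class\shell\open\command"
        $cmd = Get-RegValueOrNull $cmdKey ''
        $findings.Add([pscustomobject]@{
            Check      = "$class open command"
            Location   = $cmdKey
            Data       = $cmd
            Suspicious = [bool]($cmd -and ($cmd -match $hijackPattern))
        })
    }

    # 3. Explorer settings the virus sets to 0 so its Hidden+System files stay out of view.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $checked = Get-RegValueOrNull "$advKey\Folder\Hidden\Showall" 'CheckedValue'
    $findings.Add([pscustomobject]@{
        Check      = 'Show hidden files (CheckedValue)'
        Location   = "$advKey\Folder\Hidden\Showall\CheckedValue"
        Data       = $checked
        Suspicious = ($checked -eq 0)      # 1 is the normal setting; 0 disables the option
    })
    $super = Get-RegValueOrNull $advKey 'ShowSuperHidden'
    $findings.Add([pscustomobject]@{
        Check      = 'Show protected OS files (ShowSuperHidden)'
        Location   = "$advKey\ShowSuperHidden"
        Data       = $super
        Suspicious = $false                # 0 is also the Windows default, so report but do not flag alone
    })

    # 4. NoDriveTypeAutoRun bitmask: a SET bit disables AutoRun for that drive type.
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = Get-RegValueOrNull $polKey 'NoDriveTypeAutoRun'
    $driveBits = [ordered]@{ Removable = 0x04; Fixed = 0x08; Network = 0x10; CDROM = 0x20; RAMDisk = 0x40 }
    $data = $null
    $suspicious = $false
    if ($null -ne $mask) {
        $enabled = @()
        foreach ($name in $driveBits.Keys) {
            if (([int]$mask -band $driveBits[$name]) -eq 0) { $enabled += $name }
        }
        $data = '0x{0:X2} (AutoRun enabled for: {1})' -f [int]$mask, ($enabled -join ', ')
        $suspicious = (([int]$mask -band 0x04) -eq 0)   # 129 = 0x81 clears the removable-drive bit
    }
    $findings.Add([pscustomobject]@{
        Check      = 'NoDriveTypeAutoRun'
        Location   = "$polKey\NoDriveTypeAutoRun"
        Data       = $data
        Suspicious = $suspicious
    })

    return $findings
}

Get-InvadesysRegistryIndicators | Format-Table Check, Suspicious, Data -AutoSize
```

The script only reads the registry and reports; any value with Suspicious set to True should be compared against the expected handler before it is restored. ShowSuperHidden is reported without being flagged because 0 is also the Windows default, so on its own it does not indicate infection.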
Spreads Via…
File Infection
Virus:VBS/Invadesys.A searches for files with the extensions ".hta", ".htm", ".html", ".asp" and ".vbs" and appends a modified copy of itself to each file it finds.
Fixed and Removable Drives
Virus:VBS/Invadesys.A enumerates all removable, fixed and network drives. For each drive found, it attempts to copy itself to the drive as the following files:
<drive root>\autorun.inf - detected as Virus:VBS/Invadesys.A!inf
<drive root>\<virus file name> - detected as Virus:VBS/Invadesys.A
The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
After copying the above files to the drive, the virus adds System and Hidden attributes to the files.
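The drive-spreading behaviour above (an autorun.inf pointing at a dropped script, both with Hidden and System attributes) can be checked without executing anything on the drive. The following script is an added example, not part of the original write-up; it parses the [autorun] section of each drive's autorun.inf, flags launch directives that go through the script host or name a .vbs file, and reports whether the referenced file exists and carries the Hidden+System attributes. The drive-type numbers are those of Win32_LogicalDisk.

```powershell
# Added example, not part of the original write-up: read-only inspection of autorun.inf
# on removable, fixed and network drives for the pattern described in this section.

function Get-AutorunCommands {
    param([string]$InfPath)
    # Collect open=, shellexecute= and shell\<verb>\command= directives from [autorun].
    $inSection = $false
    $commands = @()
    foreach ($line in (Get-Content -LiteralPath $InfPath -Force -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if ($inSection -and $t -match '(?i)^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $commands += $Matches[2].Trim()
        }
    }
    return $commands
}

function Test-HiddenSystem {
    param([System.IO.FileSystemInfo]$Item)
    $attr = $Item.Attributes
    return ((($attr -band [IO.FileAttributes]::Hidden) -ne 0) -and (($attr -band [IO.FileAttributes]::System) -ne 0))
}

function Get-InvadesysDriveIndicators {
    $results = @()
    # DriveType 2 = removable, 3 = fixed, 4 = network: the drive kinds the virus copies to.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.DriveType -in @(2, 3, 4) }
    foreach ($disk in $disks) {
        $root = $disk.DeviceID + '\'
        # Hidden files are not returned without -Force.
        $inf = Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue
        if ($null -eq $inf) { continue }
        $infHiddenSystem = Test-HiddenSystem $inf

        foreach ($cmd in (Get-AutorunCommands -InfPath $inf.FullName)) {
            # Launching a .vbs via the script host is the pattern to look for; a setup.exe is not.
            $scriptLaunch = [bool]($cmd -match '(?i)(wscript|cscript|\.vbs\b)')

            # First token of the command, quoted or not, resolved relative to the drive root.
            if ($cmd -match '^"([^"]+)"') { $target = $Matches[1] } else { $target = ($cmd -split '\s+')[0] }
            if (-not [IO.Path]::IsPathRooted($target)) { $target = Join-Path $root $target }
            $targetItem = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
            $targetHiddenSystem = $false
            if ($null -ne $targetItem) { $targetHiddenSystem = Test-HiddenSystem $targetItem }

            $results += [pscustomobject]@{
                Drive              = $disk.DeviceID
                InfHiddenSystem    = $infHiddenSystem
                Command            = $cmd
                TargetExists       = ($null -ne $targetItem)
                TargetHiddenSystem = $targetHiddenSystem
                Suspicious         = ($scriptLaunch -and $infHiddenSystem)
            }
        }
    }
    return $results
}

Get-InvadesysDriveIndicators | Format-Table -AutoSize
```

As the write-up notes, an autorun.inf by itself is not evidence of infection; the combination the script flags is a script-host launch directive in a file that has been given the Hidden and System attributes, with the referenced script present on the same drive.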
Payload
Terminates Programs
VBS/Invadesys.A may monitor and terminate any of the following processes:
ras.exe
360tray.exe
taskmgr.exe
cmd.exe
cmd.com
regedit.exe
regedit.scr
regedit.pif
regedit.com
msconfig.exe
SREng.exe
USBAntiVir.exe
Deletes Files
VBS/Invadesys.A may delete multimedia files with the following file extensions based on certain sequences of characters found in the file names:
.mpg
.rmvb
.avi
.rm
Displays Message
If the currently logged-on user name is "Admin", VBS/Invadesys.A may display a message box containing the following text:
"You Are Admin!!! Your Computer Will Not Be Infected!!!"
Analysis by Cristian Craioveanu